Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 76476.337@CompuServe.COM (Robert McClenon)
Newsgroups: comp.virus
Subject: Self-Modifying SETVER.EXE (PC)
Message-ID: <0010.9106251509.AA25956@ubu.cert.sei.cmu.edu>
Date: 25 Jun 91 03:38:48 GMT
Sender: Virus Discussion List
Lines: 25
Approved: krvw@sei.cmu.edu

I just discovered after twenty minutes of unpleasantness that SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING CODE. The SETVER command is used to fake out applications which check the version of DOS. It seems that, rather than maintain a data file separate from the .EXE file, Microsoft has chosen to implement SETVER.EXE as a program which modifies itself whenever it is executed, so as to change a table that is part of itself. This is very unfriendly behavior for users who try to maintain any sort of discipline to control viruses, or any of various other sorts of discipline.

Virex-PC gave me multiple alerts telling me that SETVER was trying to alter SETVER. Since the syntax of SETVER is a little peculiar and complex, I at first assumed that I had entered the command wrong and was doing something improper and that Virex-PC was protecting me from a mistake. It took me a while to realize that SETVER was REALLY trying to MODIFY itself and that Virex-PC was trying to protect me from a technically legitimate but undisciplined operation.

Is anyone from Microsoft on this distribution list? Would they care to explain why they did such an undisciplined thing?

Robert McClenon
Neither my employer nor anyone else paid me to say this.